Public bug reported:

##### Context

I'm on a non-Ubuntu OS (Arch), trying to use Juju on LXD. In doing so, Juju uses a snap inside an LXD container, and so needs the system to support nested AppArmor profiles. `juju-db` is the snap in question, if that helps.

##### Issue

When I try to do this, I get a bunch of AppArmor violations that go way over my head. It's not clear to me what is causing these, but I **suspect** that Ubuntu patches some host-system AppArmor profiles to support this use-case, that isn't replicated on other OSs? Not sure, and I don't know who to ask or where to look.

If any additional information is needed I'd be more than happy to provide.

##### Logs + Additional Info

`snappy-debug` journalctl logs - https://pastebin.canonical.com/p/N5wxYggMyz/

A rough grab from dmesg - https://pastebin.canonical.com/p/4JhTX38GBF/

Snapd installed using - https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=snapd

`juju-db` snap - https://github.com/juju/juju-db-snap/tree/5.3

`usr.lib.snapd.snap-confine` default on Arch, in case it's useful - https://pastebin.canonical.com/p/84WGfgrCz6/

##### Reproduce Steps

Assuming you're running on a vanilla (minimal tweaking) Arch machine with AppArmor enabled:

```bash
cd /tmp && git clone https://aur.archlinux.org/snapd.git && cd snapd
makepkg -si
sudo systemctl enable --now snapd.socket
# log-out, log-in
sudo snap install lxd --channel latest/edge
lxd init --auto
sudo snap install juju --channel 3.3/stable
juju bootstrap localhost lh --debug --bootstrap-timeout=180
# check snappy-debug or dmesg for AppArmor denials
```

** Affects: snapd
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of AppArmor Developers, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2049099

Title:
  AppArmor blocking snap install nested in LXD container

Status in snapd:
  New
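Added example, not part of the original report: a small triage script for the last reproduce step, grouping AppArmor `DENIED` records from `dmesg` or `journalctl -k` by policy namespace, profile, operation and target, so denials against host profiles can be told apart from denials raised inside the container's namespace. It assumes the usual `key="value"` audit layout with a `namespace=` field on records from a non-root policy namespace; the sample records, profile names and paths are constructed and are not taken from the linked pastebins.

```python
import re
import sys
from collections import Counter

# key="quoted value" or key=bare pairs, the layout assumed for AppArmor audit records
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample records (illustrative only, not from the report's pastebins).
SAMPLE = """\
audit: type=1400 audit(1705000000.100:201): apparmor="DENIED" operation="open" namespace="root//lxd-example_<var-snap-lxd-common-lxd>" profile="snap.example.daemon" name="/proc/1/environ" pid=4100 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1705000000.200:202): apparmor="DENIED" operation="open" namespace="root//lxd-example_<var-snap-lxd-common-lxd>" profile="snap.example.daemon" name="/proc/1/environ" pid=4101 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1705000000.300:203): apparmor="DENIED" operation="mount" profile="/usr/lib/snapd/snap-confine" name="/tmp/example/" pid=4102 comm="snap-confine" flags="rw, bind"
audit: type=1400 audit(1705000000.400:204): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.example.daemon" pid=4103 comm="apparmor_parser"
"""

def parse_denial(line):
    """Return the fields of one DENIED record as a dict, or None for any other line."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: (quoted or bare) for key, quoted, bare in FIELD.findall(line)}

def summarize(lines):
    """Count denials per (namespace, profile, operation, target, denied_mask)."""
    counts = Counter()
    for line in lines:
        rec = parse_denial(line)
        if rec is None:
            continue
        counts[(
            rec.get("namespace", "-"),    # "-" means the record carried no namespace field
            rec.get("profile", "?"),
            rec.get("operation", "?"),
            rec.get("name", "-"),
            rec.get("denied_mask", "-"),  # mount denials carry flags instead of a mask
        )] += 1
    return counts

def report(counts):
    """Format the counts, most frequent first, one denial class per line."""
    return [f"{n:4d}  ns={ns}  profile={p}  op={op}  target={t}  mask={m}"
            for (ns, p, op, t, m), n in counts.most_common()]

if __name__ == "__main__":
    # Pipe `dmesg` or `journalctl -k` output in; with no pipe, run on the sample.
    src = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    print("\n".join(report(summarize(src))))
```

Records whose `profile` is a host profile such as `/usr/lib/snapd/snap-confine` point at host policy, while records with a `namespace=` value point at profiles loaded inside the container.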
